# DNS

## Third-Party Tools

Use these first: they are completely passive and rely on Internet infrastructure instead of your own machine, so no query reaches the target from you.

* [DNS Dumpster](https://dnsdumpster.com/)
* [Shodan](https://www.shodan.io/)
* [Censys](https://censys.io/)

## Dig

Powerful Linux-based tool for gathering and analyzing DNS records.

#### Gather All Records for a Domain

These commands query the name server at `192.168.1.1` directly (the `@server` argument) instead of the system resolver.

```bash
dig @192.168.1.1 sec542.org -t any
dig @192.168.1.1 sec560.org +norecursive    # Turns off recursion
dig @192.168.1.1 sec560.org +recursive      # Turns on recursion
```

#### Simplified PTR Lookups

Using the `-x` flag is the same as `dig 23.1.168.192.in-addr.arpa PTR` (the octets reversed under the `in-addr.arpa` zone).

```bash
dig -x 192.168.1.23
```

#### Attempt Full Zone Transfer

Very unlikely to work; most domains *should* not allow external zone transfers, though it succeeds more often from inside the network. Always attempt this anyway!

```bash
dig @<network dns server> m4lwhere.org -t axfr
dig @<network dns server> AXFR m4lwhere.org
```

## nslookup

We can use `nslookup` from a Windows host to try to gather information as well (interactive mode; `ls -d` requests the full zone).

```
C:\Users\m4lwhere> nslookup
> server 10.0.0.1
> set type=AXFR
> ls -d goblins.local
```

## DNSrecon

Multi-threaded DNS enumeration tool written in Python 3. `-d` is the target domain and `-n` the name server to query.

```bash
dnsrecon -d m4lwhere.org -n 8.8.8.8
```

## DNS Brute Forcing

Attempt to enumerate DNS hostnames by guessing subdomains.

#### Gobuster

Uses gobuster in `dns` mode with a wordlist for subdomain brute forcing; it is multi-threaded 😎

```bash
gobuster dns -d m4lwhere.org -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
```

#### Nmap Script

The `dns-brute` NSE script takes many script arguments: the domain, thread count, a custom hostlist, and `newtargets` to add discovered hosts to the scan.

```bash
nmap --script dns-brute --script-args dns-brute.domain=foo.com,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sS -p 80
```
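As an added example (not part of the original cheat sheet), a defender-side script that flags the two activities covered above, zone-transfer attempts and subdomain brute forcing, in a name server's query log. The log format and sample lines are constructed for this example; real servers (BIND, Windows DNS) log differently, so the regex is the part to adapt.

```python
# Added example: flag DNS brute forcing and zone-transfer attempts in a
# resolver/authoritative query log. The one-record-per-line format below is
# CONSTRUCTED for this example; adapt LOG_RE to your own server's log.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>[\d.]+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) rcode=(?P<rcode>\S+)$"
)

# Constructed sample: 10.0.0.5 guesses names under goblins.local (mostly
# NXDOMAIN), 10.0.0.9 asks for AXFR, 10.0.0.7 is an ordinary client.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 qname=www.goblins.local qtype=A rcode=NOERROR
2024-05-01T10:00:01Z client=10.0.0.5 qname=dev.goblins.local qtype=A rcode=NXDOMAIN
2024-05-01T10:00:01Z client=10.0.0.5 qname=test.goblins.local qtype=A rcode=NXDOMAIN
2024-05-01T10:00:02Z client=10.0.0.5 qname=staging.goblins.local qtype=A rcode=NXDOMAIN
2024-05-01T10:00:02Z client=10.0.0.5 qname=vpn.goblins.local qtype=A rcode=NXDOMAIN
2024-05-01T10:00:02Z client=10.0.0.5 qname=mail2.goblins.local qtype=A rcode=NXDOMAIN
2024-05-01T10:00:03Z client=10.0.0.9 qname=goblins.local qtype=AXFR rcode=REFUSED
2024-05-01T10:00:04Z client=10.0.0.7 qname=www.goblins.local qtype=A rcode=NOERROR
2024-05-01T10:00:05Z client=10.0.0.7 qname=typo.goblins.local qtype=A rcode=NXDOMAIN
"""

def parse_log(text):
    """Yield one dict per well-formed line; skip anything that does not match."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_suspicious_clients(text, zone, nxdomain_threshold=5):
    """Return {client: reason} for clients that look like they are enumerating
    `zone`: many distinct NXDOMAIN names under it (wordlist brute force), or
    any AXFR/IXFR request (zone transfer attempt, even if it was REFUSED)."""
    suffix = "." + zone.rstrip(".").lower()
    nx_names = defaultdict(set)   # client -> set of distinct non-existent names
    findings = {}
    for rec in parse_log(text):
        qname = rec["qname"].rstrip(".").lower()
        if rec["qtype"].upper() in ("AXFR", "IXFR"):
            findings[rec["client"]] = "zone transfer attempt (%s)" % rec["qtype"].upper()
        elif rec["rcode"] == "NXDOMAIN" and qname.endswith(suffix):
            nx_names[rec["client"]].add(qname)
    for client, names in nx_names.items():
        if len(names) >= nxdomain_threshold and client not in findings:
            findings[client] = "%d distinct NXDOMAIN names under %s" % (len(names), zone)
    return findings
```

Tune `nxdomain_threshold` to your zone's normal typo rate; a single noisy client (10.0.0.7 above) should not trip it, a wordlist run will.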
